Malware Analysis Report

2025-01-19 08:04

Sample ID 240610-qn3rraxbne
Target 9acec844e5e3c2cda740381576ecb934_JaffaCakes118
SHA256 06b50615389caae2f58f24e50f1c3bd9164652aff0719a1ba649f4f83401806f
Tags
discovery evasion impact persistence
score
8/10


Analysis Overview

score
8/10

SHA256

06b50615389caae2f58f24e50f1c3bd9164652aff0719a1ba649f4f83401806f

Threat Level: Likely malicious

The file 9acec844e5e3c2cda740381576ecb934_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Loads dropped Dex/Jar

Queries information about running processes on the device

Checks Android system properties for emulator presence.

Checks Qemu related system properties.

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 13:25

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 13:25

Reported

2024-06-10 13:28

Platform

android-x86-arm-20240603-en

Max time kernel

57s

Max time network

170s

Command Line

com.guoshujinfu.gscredit

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /data/local/bin/su | N/A | N/A
N/A | /data/local/xbin/su | N/A | N/A
N/A | /sbin/su | N/A | N/A
N/A | /data/local/su | N/A | N/A

Checks Android system properties for emulator presence.

evasion
Description | Indicator | Process | Target
Accessed system property key: | ro.serialno | N/A | N/A
Accessed system property key: | ro.bootloader | N/A | N/A
Accessed system property key: | ro.bootmode | N/A | N/A
Accessed system property key: | ro.hardware | N/A | N/A
Accessed system property key: | ro.product.device | N/A | N/A
Accessed system property key: | ro.product.model | N/A | N/A
Accessed system property key: | ro.product.name | N/A | N/A

Checks Qemu related system properties.

evasion
Description | Indicator | Process | Target
Accessed system property key: | qemu.sf.fake_camera | N/A | N/A
Accessed system property key: | ro.kernel.android.qemud | N/A | N/A
Accessed system property key: | ro.kernel.qemu.gles | N/A | N/A
Accessed system property key: | ro.kernel.qemu | N/A | N/A
Accessed system property key: | init.svc.qemud | N/A | N/A
Accessed system property key: | init.svc.qemu-props | N/A | N/A
Accessed system property key: | qemu.hw.mainkeys | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/data/com.guoshujinfu.gscredit/.jiagu/classes.dex | N/A | N/A
N/A | /data/data/com.guoshujinfu.gscredit/.jiagu/classes.dex!classes2.dex | N/A | N/A
N/A | /data/data/com.guoshujinfu.gscredit/.jiagu/tmp.dex | N/A | N/A
N/A | /data/data/com.guoshujinfu.gscredit/.jiagu/tmp.dex | N/A | N/A
N/A | /data/data/com.guoshujinfu.gscredit/.jiagu/classes.dex | N/A | N/A
N/A | /data/data/com.guoshujinfu.gscredit/.jiagu/classes.dex!classes2.dex | N/A | N/A
N/A | /data/data/com.guoshujinfu.gscredit/.jiagu/tmp.dex | N/A | N/A
N/A | /data/data/com.guoshujinfu.gscredit/.jiagu/tmp.dex | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | s.appjiagu.com | N/A | N/A
N/A | b.appjiagu.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.guoshujinfu.gscredit

chmod 755 /data/data/com.guoshujinfu.gscredit/.jiagu/libjiagu.so

com.guoshujinfu.gscredit:channel

sh -c ps

ps

ps daemonsu

ps | grep su

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | s.appjiagu.com | udp
US | 104.192.110.60:80 | s.appjiagu.com | tcp
US | 1.1.1.1:53 | b.appjiagu.com | udp
CN | 180.163.249.208:80 | b.appjiagu.com | tcp
CN | 106.63.25.33:80 | b.appjiagu.com | tcp

Files

/data/data/com.guoshujinfu.gscredit/.jiagu/libjiagu.so

MD5 8f55d5deb281d8aa1a0b9f72f7185e58
SHA1 5ce262af6a74a11931bf4b1e92a59b9acab27f37
SHA256 b57aa883bd4a8241fe2ebbeec0988614da1ad453f5784f3439335a6f800c7944
SHA512 4d74f007dc4a19ac3a8ae3434f06d2509397301c0a9b0288475280801c8907ce48248459436416fb14fc5a3a6ce790d680b6b9c95d35afc49c2f0639199b56f6

/data/data/com.guoshujinfu.gscredit/.jiagu/classes.dex

MD5 52bfa71a798e0b01536bdb4380ee81d4
SHA1 1cef119980b83a167045dd834f8a8a5ba4177f40
SHA256 1775f6f69678cfc7cdd899021a17b19cb366d5ba839847c84396b4fcda91849d
SHA512 932b3f7d03c8ceb4fb643543b376c7f8334fe5ef78df6312d476f65851f2ff4dac2b1c3d1f126082419d3c2050b58b93339f7d8670e698258ecfce981a4d9efa

/data/data/com.guoshujinfu.gscredit/.jiagu/classes.dex

MD5 01d1b0675fa17fc0fa45ac720f89376c
SHA1 34febd273c211e493a548a5a4dbcedb95221c286
SHA256 4a22f51eb92a8a59ffdcca338cf9eda8a677a27aec285e73158e26c53eca78ba
SHA512 d22d04865bd10745db4eb812cbc41b8a0c87a111ac320c304342f9349cd3a20f6683074df73af93a3f756faa7be385221f49dfea2b890c4b5513d06c8b8d20f9

/data/data/com.guoshujinfu.gscredit/.jiagu/classes.dex!classes2.dex

MD5 132a49bb4e596a6facfe0b288b572cfd
SHA1 db218a2f7fac910529a6fe779f64bb5cdf92848c
SHA256 958e7f990aac0ad60af6776fc72d155e0951da3ca91d7e6189b501f6d62a2040
SHA512 1b7b7b6a1ccdff01797a04cc004fd1cea883daaa15a94d1c673fc33712a4f09730c63e3c30ae8b2a824156a9f015068821a30a4bb98fc98655f47feea11a0d1c

/data/data/com.guoshujinfu.gscredit/.jiagu/tmp.dex

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.guoshujinfu.gscredit/.jiagu/tmp.dex

MD5 f1771b68f5f9b168b79ff59ae2daabe4
SHA1 0df6a835559f5c99670214a12700e7d8c28e5a42
SHA256 9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939
SHA512 dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

/data/data/com.guoshujinfu.gscredit/files/.jglogs/.jg.ri

MD5 f8db093393a8b25939b610485db0fc4c
SHA1 5631bc1124d1088b6f584bdfd817a4c78f0da93c
SHA256 8e68f76d393107725246fd498b62f66f2af420574a5e4afaaedd12f7a9554f7b
SHA512 a690795feaf749298bf5a4a7d0655c7c78d57ad4fe5811c818e5cb972abf8aa543af421f3202b2151d9958c0a0c642a4196552633cdd590efdb62ae48c941131

/data/data/com.guoshujinfu.gscredit/files/.jiagu.lock

MD5 acfa534eacb09428ca0e0b00b2cd94fb
SHA1 b3cfc5947c5ae98ff28aaafb1f113cff11a37ea4
SHA256 3165ebf3cfc8d079c6cbbc8383f4261e6532475865168c21521ec6e888051b75
SHA512 3eec7b86a1365d5e0fc1dc886a9209a370f8ebf9329a148f27685d2d35960e88fcb6d11dc875617225d0fa2324262e5d9205e3cecc8593f014b9dd9cd9fa9510

/data/data/com.guoshujinfu.gscredit/files/.jglogs/.jg.ac

MD5 6f2f01d5df4fa8c7ba4ecfa4118bb9d0
SHA1 5ca7caba33e582cb40a7d8a9d279bf72e06d5855
SHA256 c651bf46aa21f8129c2d82f3e866cf9a4c41c55c1fb4d57c6e6b02db238d0187
SHA512 e73479884435d7d2e0920bddef61d168741c72d4956f40a92f8728fefcf1c49b2254aff3c1267b8c81c7c5657f654f7454a5a04fe87eb390cfb9040c0c1db165

/data/data/com.guoshujinfu.gscredit/files/.jglogs/.jg.ic

MD5 b7fc5ec4d60a402a1d1fd3f865240f49
SHA1 004ade81da4c8b9d3feb9b372ef227cfafbd28f0
SHA256 dad67ad5cdb33c05a64a5b7365b17aa75619fe652319dc16e898e3e4ef6d6792
SHA512 9d25703905da22a976f90c79ac9f7c23d53d25fb39da0e35306aa85fc23721775f35362969f58011d08c2a9617ae546b1fb5cbf01afade9a82ad44b20bfd322c

/data/data/com.guoshujinfu.gscredit/files/.jglogs/.jg.di

MD5 2aa0d0c6e4913f85b8847869191d7cb1
SHA1 a9cb2d9873c5f66505ddabc362bf986ae32740b9
SHA256 f9808083229aa9c1dad40dd084cf4e9439379634e39acaf419490546fb7e7046
SHA512 c78268f9fd7ef512dc3ce1852a062a58708a9d6542604c2dbb4a731fb51d6138fb5269160470f7ca2bf4ef89acce77a98222a19f0727a50be09becc6314f365b

/storage/emulated/0/360/.iddata

MD5 5003d1df5fa36a7aba317dc413686b03
SHA1 a0ff3a1f463a7e884bb08f0802eca4715704a4a4
SHA256 a45995ca9f78f08fad2e75b503f7e7c1e9427dd79c119ec1d2083bd65cab561f
SHA512 7e10c63611ef90805bc1bb1b9b8e9d852949fcfe37cdef8f4eaa057f470d3727e4345e2a7587b337a2bad2a482d987a385e7fd94b264bffc22f5544597fe0820

/storage/emulated/0/360/.deviceId

MD5 1d8d16c4e3b19ebf18988530d9b9a757
SHA1 bc94c1cce05cd848a53271ecb9c5311e27ffebf5
SHA256 abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7
SHA512 4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82

/data/data/com.guoshujinfu.gscredit/databases/MessageStore.db-journal

MD5 7f17b732f842674d39df3dc14075e79b
SHA1 be4c3eab67960159887df2468ddbd575f899f770
SHA256 faf57eaa0f0bf0ba245c14c9dd9c4c374f645c3b69e3613a072a132833b8c221
SHA512 b82a883c0ea3bdc8ffd079e000500c958885b8a1c4d92d7a234f87ed1077fa2956841cfb056864335186ebedf334d1bbf285508ad10fe70dd579d217c941710d

/data/data/com.guoshujinfu.gscredit/databases/MessageStore.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.guoshujinfu.gscredit/databases/MessageStore.db-wal

MD5 2ab4423dcc5ec0093a63a17013cf5ab3
SHA1 81a02fff04655dbf29f66a988cd7620d77028af6
SHA256 176eae196b60180e5020311d27cbd63aa02978c6bba18c717cab7f47c081b0d1
SHA512 819aae9805cab4d6955f7eda2653831c706ae1b2aa1f41bd13c46151c4d8f955266ddb388fa1b3d84c724ecf713b29a8f1deb66870dc1f1a0b7057e3261c772f

/data/data/com.guoshujinfu.gscredit/files/.jglogs/.jg.di

MD5 f483027b63dfc34a7681c97da5aabefd
SHA1 5b2b2a67cfe1e74a140005963b9ac04097eb8225
SHA256 16437c3b94b498659334830a0ee76ac91e7f67e9380a6d116ed580ae1ae121c7
SHA512 7d7aaa77553ec4591080e460bf920cb4f4ddb98261223d4fc4a0cf0ef6caf52dee2611abd40380951ab70763ffd09d11888a1dddf9341e05ac46f44fa65f43ce

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 13:25

Reported

2024-06-10 13:28

Platform

android-x64-20240603-en

Max time network

187s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
BE | 66.102.1.188:5228 | | tcp
GB | 216.58.212.206:443 | | tcp
GB | 142.250.179.238:443 | | tcp
GB | 142.250.187.226:443 | | tcp
GB | 172.217.16.227:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.212.228:443 | www.google.com | tcp
US | 1.1.1.1:53 | g.tenor.com | udp
GB | 142.250.180.10:443 | g.tenor.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 142.250.187.206:443 | www.youtube.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.204.68:443 | www.google.com | tcp
US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp
GB | 172.217.169.74:443 | mdh-pa.googleapis.com | tcp
US | 1.1.1.1:53 | accounts.google.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
BE | 64.233.166.84:443 | accounts.google.com | tcp

Files

N/A